Sun Identity Manager 8.1 Resources Reference

Adapter Details

Resource Configuration Notes

This section provides instructions for configuring Domino resources for use with Identity Manager.

General Configuration Instructions

Use these procedures to set up a Domino resource adapter:

Procedure: Setting Up a Domino Resource Adapter

  1. Create the Identity Manager administrator in Domino. Use a certifier ID that has access to all organizations needed to manage users.

  2. Add the user to the access control list (ACL) of the server's address book, names.nsf:

    1. Give the user Editor access.

    2. Assign the user the following roles:

      • GroupModifier

      • UserCreator

      • UserModifier

  3. Add the user to the ACL of the certification log, certlog.nsf, with Depositor access.

  4. Add the user to the ACL of the Administration Requests database, admin4.nsf, with Depositor access.

  5. Add the newly created user to server security:

    1. Open the Security panel of the server configuration for editing.

    2. If access to the Domino server is restricted, make sure the Identity Manager proxy account has access to the server by listing the account name, or a group to which the proxy account belongs, in the Access server field.

    3. If a before or after action calls a Domino agent, the user might also need to be listed in the Run unrestricted LotusScript/Java agents or Run restricted LotusScript/Java agents field, depending on how the agent being called is configured.

Installing the Gateway to Support Domino

For the gateway to talk with Domino, a Notes client must already be installed on the gateway machine.

Add the following string values to HKEY_LOCAL_MACHINE\SOFTWARE\Waveset\Lighthouse\Gateway in the Windows registry to ensure Domino works properly:


Note –

Make sure the Notes client is running with a network-enabled profile. If you change the network connection after you copy the ini file, you must re-copy it or start the client from the command line with the path to the ini file, as in:

C:\Lotus\Notes\notes.exe =PathToIniFile

Identity Manager Installation Notes

No additional installation procedures are required on this resource.

Usage Notes

This section provides information related to using the Domino resource adapter.

You can use aliased groups when using Identity Manager to create a Domino group. Aliased group names use this syntax: Group1;alias1;alias2. When a group name appears in a list, only the primary name is shown.

Recertification Process

The recertification process uses the Boolean user attribute named Recertify. During an update operation the attribute is checked; if it is set, the user ID is recertified.

Recertification is carried out through the adminp process: the adapter generates an adminp request, and the recertification of the ID takes place some time afterwards when the Administration Process runs it. The timing depends on the configuration of the Domino server.

Changing Passwords

Lotus users have two different passwords: the HTTP password (the HTTPPassword attribute, used by web browsers and other HTTP clients) and the password on the Notes ID file.

The adapter can be configured to manage one or both of these passwords.

Managing HttpPasswords Only

Configure the Domino Gateway adapter as follows to manage HttpPasswords but not ID file passwords.

Managing HttpPasswords and ID File Passwords

Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface and HttpPasswords from the Administrator and User interfaces.

Managing ID File Passwords Only

Configure the Domino Gateway adapter as follows to manage ID file passwords from the User interface without managing HttpPasswords.

Disabling and Enabling

In Domino 6.0 and later, the preferred method of disabling a user is to set the CheckPassword account attribute to 2. The 5.x method of adding the user to a DENY GROUP may still be used.

Early versions of Domino do not implement a native disable flag for each user, so each disabled user is placed in a DENY GROUP (a group whose members are denied access to the server). When the user is enabled again, the user is removed from those deny groups. Because a DENY GROUP has a maximum number of members, the group to use cannot be fixed in the resource definition and must instead be passed as an account attribute: the additional DenyGroups account attribute. DenyGroups can be set during a Disable, Enable, or Deprovision, but it is not fetched from the resource without additional form code.

When deprovisioning or disabling, you must send the list of DenyGroups to which the user will be added. When enabling, you must send the list of DenyGroups from which the user will be removed.

The available DenyGroups can be fetched from the resource with the following code:

<invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
    <ref>:display.session</ref>
    <s>DenyLists</s>
    <s>YourResourceName</s>
    <null/>
    <s>false</s>
 </invoke>

The currently assigned DenyGroups can be fetched on a disable, enable, or deprovision form with this code:

<invoke name='getList'>
    <invoke name='getView'>
       <ref>display.session</ref>
       <concat>
          <s>UserViewer:</s>
          <ref>resourceAccounts.id</ref>
       </concat>
       <map>
          <s>TargetResources</s>
          <list>
             <s>YourResourceName</s>
          </list>
       </map>
    </invoke>
    <s>accounts[YourResourceName].DenyGroups</s>
 </invoke>

In the enable, disable, and deprovision forms, you must address the DenyGroups attribute as:

resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups

The following example defines a field in the disable form that lists the available DenyGroups in the left hand side of a multi-select box:

<Field name='resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups'>
    <Display class='MultiSelect'>
       <Property name='title' value='Deny Groups'/>
       <Property name='required'>
          <Boolean>false</Boolean>
       </Property>
       <Property name='allowedValues'>
          <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'>
             <ref>:display.session</ref>
             <s>DenyLists</s>
             <s>YourResourceName</s>
             <null/>
             <s>false</s>
          </invoke>
       </Property>
       <Property name='availableTitle' value='Available Deny Groups'/>
       <Property name='selectedTitle' value='Assigned Deny Groups'/>
    </Display>
 </Field>

The following example defines a field in the enable form that lists the assigned DenyGroups in a derivation rule of a hidden field:

<Field name='resourceAccounts.currentResourceAccounts[YourResourceName].attributes.DenyGroups'>
   <Derivation>
       <invoke name='getList'>
          <invoke name='getView'>
             <ref>display.session</ref>
             <concat>
                <s>UserViewer:</s>
                <ref>resourceAccounts.id</ref>
             </concat>
             <map>
                <s>TargetResources</s>
                <list>
                   <s>YourResourceName</s>
                </list>
             </map>
          </invoke>
          <s>accounts[YourResourceName].DenyGroups</s>
       </invoke>
    </Derivation>
 </Field>
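The following Python model, added here as an illustration and not taken from Identity Manager or Domino, shows how the two disable mechanisms described above interact: an account counts as disabled either because CheckPassword is 2 or because it is a member of a deny group, the DenyGroups list that a disable, enable, or deprovision form sends is applied on top of that, and a user is never added to a deny group that is already at its member limit (the request fails instead, because silently skipping the group would leave a 5.x account enabled). The Person document and deny groups are plain dictionaries; the member limit MAX_DENY_MEMBERS and the value CheckPassword is restored to on enable are assumptions made for the example, not figures from this reference.

```python
"""Disable/enable semantics of the Domino adapter, modelled in Python.

Added illustration only; not Identity Manager or Domino code.  A Person
document is a dict with the items the adapter touches, and each deny group
is a list of member names.  MAX_DENY_MEMBERS and ENABLE_CHECKPASSWORD are
assumed values for this example, not figures from the documentation.
"""
from __future__ import annotations
from copy import deepcopy

CHECKPASSWORD_DISABLED = 2        # Domino 6.0+: preferred disable method
ENABLE_CHECKPASSWORD = 1          # assumed value restored on enable ("check")
MAX_DENY_MEMBERS = 2              # assumed member limit, kept tiny for the demo


def is_disabled(person: dict, deny_groups: dict[str, list[str]]) -> bool:
    """Disabled under either method: CheckPassword=2 or deny-group member."""
    if int(person.get("CheckPassword", 0)) == CHECKPASSWORD_DISABLED:
        return True
    return any(person["FullName"] in m for m in deny_groups.values())


def current_deny_groups(person: dict, deny_groups: dict[str, list[str]]) -> list[str]:
    """The deny groups the user is in now; the enable form must send these
    (the form above fetches them with getView/accounts[...].DenyGroups)."""
    return [g for g, m in deny_groups.items() if person["FullName"] in m]


def disable(person: dict, deny_groups: dict[str, list[str]],
            requested: list[str], domino_6_or_later: bool = True):
    """Update for a Disable or Deprovision.  `requested` is the DenyGroups
    value the form sends.  Returns new (person, deny_groups); the inputs are
    not modified.  A full deny group raises instead of being skipped,
    because skipping it would leave a 5.x account enabled."""
    person, groups = dict(person), deepcopy(deny_groups)
    if domino_6_or_later:
        person["CheckPassword"] = CHECKPASSWORD_DISABLED
    for name in requested:
        members = groups.setdefault(name, [])
        if person["FullName"] in members:
            continue
        if len(members) >= MAX_DENY_MEMBERS:
            raise ValueError(f"deny group {name!r} is full; pick another DenyGroups value")
        members.append(person["FullName"])
    return person, groups


def enable(person: dict, deny_groups: dict[str, list[str]],
           requested: list[str], domino_6_or_later: bool = True):
    """Update for an Enable: clear the flag and drop the listed memberships."""
    person, groups = dict(person), deepcopy(deny_groups)
    if domino_6_or_later:
        person["CheckPassword"] = ENABLE_CHECKPASSWORD
    for name in requested:
        if person["FullName"] in groups.get(name, []):
            groups[name].remove(person["FullName"])
    return person, groups


if __name__ == "__main__":
    # Constructed sample data.
    smith = {"FullName": "CN=Joe T Smith/O=MyCompany", "CheckPassword": 1}
    groups = {"DenyAccess1": [], "DenyAccess2": ["CN=Old User/O=MyCompany"]}
    p, g = disable(smith, groups, ["DenyAccess1"])
    print("disabled:", is_disabled(p, g), "in:", current_deny_groups(p, g))
    p, g = enable(p, g, current_deny_groups(p, g))
    print("disabled after enable:", is_disabled(p, g))
```

With domino_6_or_later set to False the functions reproduce the 5.x path alone: no flag is written and the account is disabled purely by its deny-group membership, which is why the enable form has to know the currently assigned DenyGroups rather than just flipping an attribute.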

ID File

The gateway machine generates a new ID file for each newly registered user. The file can be written to a UNC path that is accessible to the gateway process or service; specifying \\machine\ids\myidfile.id, for example, places it on that network share.

When the gateway is configured as a service, it may need to run as a specific user to get access to the share specified when a user is created. Alternatively you can grant the SYSTEM account access to the share; which is appropriate depends on how the gateway's network environment is set up. In either case, a newly generated ID file together with its initial password is a credential for that user, so restrict the share to the gateway's account and to the administrators who distribute the files.

You can also have the ID file stored in the address book by setting the Store ID In Addr Book resource attribute to TRUE or FALSE.

Rename/Move

The move and rename actions are also performed by the adminp process. A move is initiated from the rename form by changing the CertifierOrgHierarchy attribute and providing the original certifier ID file and its password. The move request creates a "Name Move Request" in the Administration Requests database and must be completed by the new certifier that represents the user's new organization. A rename is initiated by changing the user's first or last name.


Note –

You cannot perform a rename and a move at the same time; the adminp process will not allow this since the request references the canonical name which will be changed in both cases.


Resource Names

The gateway requires that all Domino resources be named uniquely. If you have multiple Identity Manager deployments and they “point” to the same gateway, all of the Domino resources that exist on the deployments must have unique resource names.

Roaming Support

Identity Manager can create roaming users if the resource is a Domino 7.0 or later server. Identity Manager cannot change a user’s roaming status. Therefore, the RoamingUser account attribute cannot be set on existing users.

Gateway Timeouts

The Domino adapter allows you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

<ResourceAttribute name='Hang Timeout'
  displayName='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT'
  type='int'
  description='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT_HELP'
  value='NewValue'>
 </ResourceAttribute>

The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.

Additional Information

This section provides some additional information related to this adapter.

ListAllObjects

You can list any object specified in Domino. Pass in the view name as the “type” to the listAllObjects call.

Form Updates

Since some of these operations require additional attributes, default forms must be updated to include these attributes.

The resource definition already defines the attributes that should be passed to the various views.

searchFilter

The following sample UserForm illustrates how the searchFilter option for the getResourceObjects method can be implemented for Domino. This form finds all users with the last name Smith on the resource MyResource. Users are displayed by internal identifier, such as com.waveset.object.GenericObject%4014a614a6, rather than account IDs.

<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Configuration name='Domino searchFilter Form' wstype='UserForm'>
 <Extension>
  <Form>
   <Display class='EditForm'/>
   <Field name='rcwfield'>
      <Display class='MultiSelect'>
         <Property name='title' value='My Lister'/>
         <Property name='availableTitle' value='Listing available items'/>
         <Property name='selectedTitle' value='Selected Item(s)'/>
         <Property name='allowedValues'>
         <block trace='true'>
               <invoke name='getResourceObjects' class='com.waveset.ui.FormUtil'>
                  <ref>:display.session</ref>
                  <s>People</s>
                  <s>MyResource</s>
                  <Map>
                     <MapEntry key='searchAttrsToGet'>
                        <List>
                           <String>LastName</String>
                           <String>ShortName</String>
                           <String>MailFile</String>
                        </List>
                     </MapEntry>
                     <MapEntry key='searchFilter' value='@IsAvailable(LastName) &amp; @Contains(@LowerCase(LastName);"smith")'/>
                  </Map>
               </invoke>
         </block>
         </Property>
        </Display>
        <Disable>
         <i>0</i>
        </Disable>
     </Field>
  </Form>
 </Extension>
</Configuration>
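The form above hardcodes the search term. When the term is taken from a user field instead, it ends up inside a Notes formula string literal and that literal inside an XML attribute, and a term containing a double quote can close the literal and change the formula that runs against the directory. The following Python, added as an illustration and not part of this reference or of Identity Manager, builds the same @formula with the term escaped for the formula language (a backslash before " and \) and the whole value escaped for the XML attribute, and keeps the naive concatenation beside it for contrast. Item names such as LastName come from the schema rather than from users, so they are validated, not escaped. All function names are this example's own.

```python
"""Safe construction of a Domino searchFilter @formula.

Added illustration; not part of the page or of Identity Manager.  The form on
the page hardcodes the search term; here it is a parameter, escaped once for
the Notes formula string literal and once for the XML attribute it is carried
in.  Item names (LastName, ...) are schema names, so they are validated, not
escaped.  Function names are this example's own.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

_ITEM_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def formula_string(value: str) -> str:
    """Quote `value` as a formula-language "..." literal.  Inside such a
    literal a backslash escapes the next character, so backslash and double
    quote are the only characters that need escaping."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_search_filter(item: str, term: str) -> str:
    """The page's filter with `term` substituted safely (the match is
    case-insensitive, so the term is lowered like the item value)."""
    if not _ITEM_NAME.match(item):
        raise ValueError(f"refusing item name {item!r}")
    return (f"@IsAvailable({item}) & "
            f"@Contains(@LowerCase({item});{formula_string(term.lower())})")


def unsafe_search_filter(item: str, term: str) -> str:
    """Naive concatenation, shown for contrast only: a term containing a
    double quote closes the literal and the rest is parsed as formula code."""
    return f'@IsAvailable({item}) & @Contains(@LowerCase({item});"{term}")'


def search_filter_map_entry(item: str, term: str) -> str:
    """The <MapEntry> as it would appear in the form; quoteattr escapes &, <,
    > and whichever quote character it chooses to delimit the attribute."""
    return f"<MapEntry key='searchFilter' value={quoteattr(build_search_filter(item, term))}/>"


def formula_from_map_entry(xml_text: str) -> str:
    """Round trip: parse the element back the way the form engine would."""
    return ET.fromstring(xml_text).get("value")


if __name__ == "__main__":
    hostile = 'smith") | @True | ("'          # constructed hostile search term
    print(unsafe_search_filter("LastName", hostile))
    print(build_search_filter("LastName", hostile))
    print(search_filter_map_entry("LastName", hostile))
```

Run stand-alone, the first printed line shows the hostile term turning the filter into a disjunction with @True, which would match every Person document; the second shows the same term kept inside the literal as data.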

Other Form Issues

Attributes Configured to be Passed Into Views

Actions

The following variables are available for use in before and after actions:

The WSUSER_UNID variable refers to the Lotus Notes universal ID. This variable cannot be referenced until after the account has been created.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager uses the Sun Identity Manager Gateway to communicate with Domino.

Required Administrative Privileges

None

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter.

Feature                        Supported?
Enable/disable account         Yes
Rename account                 Yes
Pass-through authentication    No
Before/after actions           Yes
Data loading methods           Import from resource, Reconciliation, Active Sync

Account Attributes

The following table provides information about Domino account attributes. The default data type is string, unless otherwise indicated.

Resource User Attribute  

Description  

alternateOrgUnit

The organizational unit for the user in the alternate language. 

AltFullName

The user’s full name, in the user’s native language 

AltFullNameLanguage

The language associated with the alternate full name. 

Assistant

The name of an assistant. 

CalendarDomain

The domain name for the calendar. 

CellPhoneNumber

The user’s cell phone number. 

certifierIDFile

Path to the certifier ID file relative to the gateway machine (overrides value on resource) 

CertifierOrgHierarchy

Path of certifier’s organization hierarchy, such as /US1 (overrides value on resource) 

CheckPassword

Integer. 

0 = no check 

1 = check 

2 = Disable user 

Children

The name or names of the employee’s children. 

City

The city of the user’s home address. 

Comment

A comment about the user. 

CompanyName

The company the user works for. 

Country

The country of the user’s home address. 

credentials

Password for the certifier ID file (overrides value on resource) 

dbQuotaSizeLimit

Specifies the maximum size of the user’s mail database. If you specify a value less than 1000, then the maximum size is in megabytes (MB). If the value is 1000 or greater, then the maximum size is expressed in bytes. Values between 1001 and 1023 are rounded up to 1024 bytes. 

The proxy administrator must be listed as an Administrator in the Server document to set this attribute. 

dbQuotaWarningThreshold

Specifies the size of a user’s mail database at which point a warning about the size of the database is generated. If you specify a value less than 1000, then the threshold is in megabytes (MB). If the value is 1000 or greater, then the threshold is expressed in bytes. Values between 1001 and 1023 are rounded up to 1024 bytes. 

The proxy administrator must be listed as an Administrator in the Server document to set this attribute. 

defaultPasswordExp

Number of days for new certificates to be issued (create, recertify operations)

deleteMailFileOption

Overrides the resource attribute: 

  • 0: Do not delete mail file

  • 1: Delete just mail file specified in person record

  • 2: Delete mail file specified in person record and all replicas

    Note: If configured to delete the mailfile an adminp request will be queued and must be approved natively before it is deleted.

DenyGroups

A list of deny groups (groups whose members are denied access to the resource). The user is added to these groups on a Disable or Deprovision and removed from them on an Enable; see Disabling and Enabling above. 

Department

The department name or number of the user. 

DisplayName

The user’s displayed name. 

EmployeeID

The unique employee ID for the user. 

firstname

The user’s first name. 

HomeFAXPhoneNumber

The user’s home fax/phone number 

HTTPPassword

Password to be used when accessing a Notes server from a web browser or other HTTP client. 

idFile

Fully qualified path to the ID file relative to the gateway machine. 

InternetAddress

 

JobTitle

The user’s job title. 

lastModified

A string representation of the last date and time the user was modified. 

lastname

The user’s last name 

Location

Office location or mail stop 

MailAddress

The user’s e-mail address. 

MailDomain

Domain name of user’s mail server 

MailFile

The name of the mail file, such as MAIL\JSMITH 

mailOwnerAccess

Indicates the access control level for the mailbox owner. Possible values are 0 (manager), 1 (designer), and 2 (editor). 

This attribute is not in the schema map by default. The attribute is applicable only when creating users. 

MailServer

The user’s mail server name. 

MailTemplate

Name of mail template. Only valid during create. 

Manager

The user’s manager. 

MiddleInitial

Middle initial with a trailing period. 

NetUserName

The user’s network account name. 

NotesGroups

 

objectGUID

The user’s NotesID. 

OfficeCity

The city of the user’s work address. 

OfficeCountry

The country of the user’s work address. 

OfficeFAXPhoneNumber

The fax number of the user’s work address. 

OfficeNumber

The office number of the user’s work address. 

OfficePhoneNumber

The phone number of the user’s work address. 

OfficeState

The state or province of the user’s work address. 

OfficeStreetAddress

The street address of the user’s work address. 

OfficeZIP

The postal code of the user’s work address. 

orgUnit

 

password

The user’s password 

PasswordChangeInterval

Integer. The number of days after which the user must supply a new password. 

PasswordGracePeriod

The number of days after the password has expired before the user is locked out. 

PhoneNumber

The user’s home telephone number. 

PhoneNumber_6

 

Policy

The explicit policy for the user. The value of the Explicit Policy Name resource parameter overrides this attribute. This parameter is applicable only for Domino 7.0 or later.

Profiles

The profile assigned to the user. This value overrides any profile specified as a resource parameter. This attribute is applicable only for Domino 7.0 and higher. 

Recertify

Boolean. Flag to indicate you would like to recertify a user. 

RoamCleanPer

When RoamCleanSetting is 1, the number of days between cleanings. 

RoamCleanSetting

Specifies when Domino cleans up the user’s roaming files. Valid values are 

0 (Never) 

1 (Periodically) 

2 (When the Domino server shuts down) 

3 (Prompt the user) 

RoamingUser

When set to 1, specifies that the user is a roaming user. 

RoamRplSrvrs

A list of servers where the user’s roaming files are to be replicated. 

RoamSrvr

Specifies the server where the user’s roaming files are to be located. 

RoamSubdir

Specifies the directory that will contain the user’s roaming files. 

SametimeServer

Hierarchical name of the user’s sametime server. 

ShortName

Short user name commonly used by a foreign mail system. 

Spouse

The name of the user’s spouse. 

State

The state or province in the user’s home address. 

StreetAddress

The address of the user’s home address. 

Suffix

The user’s generational qualifier 

Title

The user’s title 

WebSite

The user’s web site. 

WS_USER_PASSWORD

Attribute used to send user’s current password during user change password requests. 

x400Address

 

Zip

The postal code of the user’s home address. 

Resource Object Management

Identity Manager manages the following native Domino objects.

Table 12–1 Native Domino Objects

Resource Object 

Supported Features 

Attributes Managed 

Group 

create, delete, list, rename, saveas, update 

ConflictAction, Group_Main, AvailableForDirSync,DeleteNTUserAccount, DocumentAccess, Form, GroupName, GroupTitle, GroupType, InternetAddress, ListCategory, ListDescription, ListName, ListOwner, LocalAdmin, MailDomain, MailVerify, Owner, Type, Members, MemberPeople, MemberGroups 

Identity Template

Domino stores the identity of each user in the user's ID file. The same user name is also stored in the user's Person record, in the FullName attribute. That attribute is multi-valued, and the first entry in the list is unique. The first name in the list is stored in canonical format, similar to the following:

CN=Joe T Smith/O=MyCompany

Using this name, Identity Manager can locate the record in the name and address book. Identity Manager stores this string in resourceInfo in its abbreviated ("nice") form, which looks like:

Joe T Smith/MyCompany

Domino has built-in functions to convert names between the two forms at the API level. Identity Manager also stores the NOTEID as the objectGUID attribute and, whenever possible, uses this global identifier to look up users in Domino.

The default identity template is:

$firstname$ $MiddleInitial$ $lastname$$CertifierOrgHierarchy$

Depending on the environment, the middle initial may not be included.
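The following Python, added as an illustration and not the adapter's or Domino's own routines (the Domino API functions mentioned above are not shown in this reference), expands the default identity template and converts between the canonical and abbreviated name forms. It assumes canonical names use only the CN=, OU=, O= and C= components, and that the abbreviated-to-canonical direction (first component CN, last O, anything between OU) is only applied to names without a country component.

```python
"""Identity template expansion and Notes name forms.

Added illustration; not the adapter's or Domino's own routines.  Assumes
canonical names use only the CN=, OU=, O= and C= components, and that the
abbreviated-to-canonical direction is applied to names without a country
component (first component CN, last O, anything between OU).
"""
import re

DEFAULT_TEMPLATE = "$firstname$ $MiddleInitial$ $lastname$$CertifierOrgHierarchy$"
_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")
_TYPES = ("CN", "OU", "O", "C")


def expand_identity_template(template: str, attrs: dict) -> str:
    """Substitute $attr$ references.  A missing or empty attribute (no middle
    initial, for instance) is dropped and the doubled space it leaves is
    collapsed, which is what 'the middle initial may not be included' means."""
    expanded = _VAR.sub(lambda m: str(attrs.get(m.group(1)) or ""), template)
    return re.sub(r" {2,}", " ", expanded).strip()


def canonical_to_abbreviated(name: str) -> str:
    """'CN=Joe T Smith/O=MyCompany' -> 'Joe T Smith/MyCompany' (the form
    Identity Manager keeps in resourceInfo)."""
    out = []
    for comp in name.split("/"):
        typ, sep, val = comp.partition("=")
        out.append(val if sep and typ.upper() in _TYPES else comp)
    return "/".join(out)


def abbreviated_to_canonical(name: str) -> str:
    """'Joe T Smith/Sales/MyCompany' -> 'CN=Joe T Smith/OU=Sales/O=MyCompany'.
    Already-typed components are left alone so a canonical input is stable."""
    parts = name.split("/")
    if any("=" in p for p in parts):
        return name
    if len(parts) == 1:                     # flat, non-hierarchical name
        return f"CN={parts[0]}"
    return "/".join([f"CN={parts[0]}"]
                    + [f"OU={p}" for p in parts[1:-1]]
                    + [f"O={parts[-1]}"])


def canonical_identity(attrs: dict, template: str = DEFAULT_TEMPLATE) -> str:
    """Full path from account attributes to the FullName Domino stores first."""
    return abbreviated_to_canonical(expand_identity_template(template, attrs))


if __name__ == "__main__":
    smith = {"firstname": "Joe", "MiddleInitial": "T", "lastname": "Smith",
             "CertifierOrgHierarchy": "/MyCompany"}          # constructed
    print(expand_identity_template(DEFAULT_TEMPLATE, smith))
    print(canonical_identity(smith))
```

Because CertifierOrgHierarchy already carries its leading slash (for example /MyCompany or /Sales/MyCompany), the template concatenates it directly to the last name, and the resulting abbreviated string is what the lookup and the resourceInfo value above are based on.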

Sample Forms

DominoActiveSyncForm.xml

Dominogroupcreate.xml

Dominogroupupdate.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.DominoResourceAdapter

Tracing can also be enabled on the following methods to diagnose problems connecting to the gateway: